Securing The Reputation Management in WINNOWING P2P Scheme
Nawaf Almudhahka, Matthew Locklear

Agenda
• Overview
• Motivation
• Assumptions & Threat Model
• Approach
• Security Analysis of TVC
• Model Description
• Results
• Conclusion
• Future Work
• Questions

Overview
• WINNOWING is a DHT-based P2P file sharing system in which the peers maintain index records (file-related info).
• The index records are maintained by Index Nodes (IN hereafter) and have two types:
  1. Content record: <H(file), publisher info (IP, clientID, TCP_port)>
  2. Keyword record: <H(keyword), H(file), metadata>
• The value H(file) is the content key, while the value H(keyword) is the keyword key.

Overview
• An owner of a file should place a request to the content IN and the keyword IN before publishing a file.
• The INs verify that the publisher is from a live (non-spoofed) IP.
• Also, the keyword-owning IN verifies the contents behind the content key H(file) with the content-key-owning IN to ensure that the publisher is not sending bogus content. This verification is done by searching for the content key and waiting for a valid reply.

Overview
[Figure: publishing message sequence between Downloader, Keyword Key IN, Publisher and Content Key IN: KW PUB RQ, CONT PUB RQ, PUB VER RQ, PUB VER RES, PUB VER RQ, PUB VER RES, LOC VER RQ, LOC VER RES, CON PUB RES]

Overview
[Figure: search and download message sequence between Downloader, Keyword Key IN, Publisher and Content Key IN: KW SEARCH, KW RES, CONT SEARCH, CONT RES, CONT DOWNLOAD, FB REQ, FB RES, FB REQ, FB RES]

Issues in WINNOWING
• The user feedback records are maintained and distributed to potential downloaders by the IN itself.
  – Therefore, there are no guarantees on the integrity and trustworthiness of the score published by the IN.
  – User feedback records might be forged by an adverse IN to reflect positive feedback.
  – An adverse IN might advertise a positive reputation (i.e. high scores) about itself.

Issues in WINNOWING
• The scheme uses an Imbalanced User Feedback mechanism (IUF) in which the downloader votes negatively by sending a big file (a few megabytes).
This mechanism aims to:
  – Penalize the adverse IN which publishes bogus index records by exhausting its bandwidth when it receives the negative votes from the downloaders.
  – Discourage the downloaders from voting negatively, to reduce the impact of Reverse Voting attacks on the reputation of a benign IN.
  – What if an adversary with super bandwidth resources used that mechanism to exhaust an IN's bandwidth and buffer resources?

Motivation
1. Reputation counts a lot in P2P systems!
  – It is the critical success factor in securing the P2P network against polluters.
  – Assign the responsibility of maintaining the user feedback records (votes) to a trusted entity.
    • Secure storage for the downloaders' votes.
    • Trusted issuance of reputation reports (score certificates).

Motivation
2. Bandwidth penalty is costly.
  – It affects all hosts in the domain (not only the bad guy), and it hurts a lot if employed in performing DoS attacks.
  • Reduce the threat of the IUF mechanism being employed to launch DoS attacks while preserving the same penalizing impact.
  • Let the downloader pay a cost in a resource that does not directly affect the IN (i.e. other than bandwidth).
  • Penalize the IN that receives a negative vote without affecting its bandwidth.

Assumptions & Threat Model
Active Members: Downloader/Benign Voter, Benign IN, Adverse Voter, Adverse IN
Attacks: IN Insertion, Reverse Voting, DoS, Score Forgery

Assumptions & Threat Model
Attack          Committer          Victim
IN Insertion    Adverse IN         Downloader
Reverse Voting  Adverse Voter(s)   Benign IN
Score Forgery   Adverse IN         Downloader
DoS             Adverse Voter(s)   Benign IN

Index Node Insertion
[Figure: Adverse IN distributing records to Potential Downloaders]
An adverse IN distributes bogus index records in the P2P system.

Reverse Voting
[Figure: Colluding Voters voting against a Benign IN]
A single or multiple colluding voters target a benign index node by voting negatively to it, aiming to decrease its score and hurt its reputation in the system.
Score Forgery
[Figure: Adverse IN reporting a forged score to the Victim Downloader and Potential Downloaders]
An adverse index node forges the negative vote records it has received so that it reflects a good score (and hence reputation) to the potential downloaders and attracts them to its bogus index records.

Approach
• Introduce a Trusted Voting Center (TVC) that is responsible for the following:
  – Receiving, storing, and maintaining the downloader votes for a group of INs.
  – Producing score certificates periodically and distributing them to the relevant INs.
  – Preserving the penalty concept introduced by WINNOWING on both negative voters and INs.

Approach
• TVC addresses the three main issues in WINNOWING's reputation management:
  – Minimizes the potential of DoS and Reverse Voting attacks.
  – Guarantees the integrity of votes and scores.
  – Reduces the impact of IN Insertion.

Assumptions (TVC)
• It is a sufficiently secure server that cannot be compromised by the adversaries in the system.
• It has sufficient bandwidth, memory, and computational resources.
• The TVC uses PKC to sign the score reports that it generates, which protects these score reports against forgery.
• The overall system is assumed to be sufficiently synchronized with an authentic global time service.

TVC Overview
[Figure: message sequence between Downloader, Publisher, TVC and Content Key IN: CONT DNLD, USR FEEDBACK REQ, CLIENT PUZZLE, PUZZLE SOL + VOTE, SCORE READY ANNOUNCEMENT + CLIENT PUZZLE, PUZZLE SOLUTION, SCORE CERTIFICATE]

Voting Process
[Flowchart, rendered as steps]
1. Voting request received.
2. Has the voter previously voted for the same index node?
   – Yes: ignore the vote.
   – No: check the requested vote type.
3. Positive vote: set the puzzle hardness to the default. Negative vote: retrieve the user's history and set the puzzle hardness from it.
4. Create and send the puzzle to the voter.
5. Puzzle solution received. Has the puzzle solution timed out?
   – Yes: ignore the vote.
   – No: verify the solution.
6. Solution incorrect: ignore the vote.
7. Solution correct: compare the sent vote type with the requested vote type.
   – Mismatch: record a "bad behavior" incident.
   – Match: process the vote and update the user profile.

Score Reporting
1. Retrieve the index node score.
2. Set the certificate validity and the puzzle hardness based on the index node score.
3. Issue a digitally signed score certificate.
4. Inform the index node about the certificate and send the puzzle to it.
5. Puzzle solution received.
6. Verify the solution.
7a. Correct: send the certificate.
7b. Incorrect: don't send the certificate.
8. Wait for the new cycle.

Score Reporting
[Figure: timeline T0, T1, T2, T3 of score reporting between Adverse IN, Users and TVC]

Security Analysis of TVC
• Resilience to IN Insertion Attack
• Resilience to Reverse Voting Attack
• DoS Mitigation

Security Analysis of TVC
1. Resilience to IN Insertion Attack:
  • Adverse INs eventually converge to a low score due to the guaranteed integrity of votes.
  • Bogus index records are eventually filtered out due to the zero-validity score threshold.
  • The TVC signature on score certificates prevents forgery of certificates.

Security Analysis of TVC
2. Resilience to Reverse Voting Attack:
  • TVC ensures votes are from a live IP and are unique per index record.
  • Very limited impact if colluders try to boost an adverse IN's score or reduce a benign IN's score.
  • Negative votes result in a high computational cost.

Security Analysis of TVC
3. DoS Mitigation:
  • TVC preserves the server resources by only processing unique votes from legitimate voters.
  • The vote message is of a small size (~1 KB), which greatly reduces the impact of DoS on the server.
  • Increased computational cost towards voters for successive bad behaviors.

Model Description
• Resilience to IN Insertion Attack: reduction in DL failures due to adverse IN – analytical model
• Resilience to Reverse Voting Attack: benign IN reputation protection – analytical model
• DoS Mitigation: OPNET simulation

Model Description
1. Reduction in Download Failures Due to Adverse IN
  • Global time interval i.
  • IN starts with a perfect score of 100.
  • Peer arrivals to the system are Poisson distributed with mean λ per interval.
  • All arrivals in a valid interval seek to download from the adverse IN.
  • All downloads attempted via the adverse IN fail.
  • AIAD scoring scheme employed.

Model Description
[Figure: P(willing neg.) vs. Score; y-axis P(willing neg.) from 0 to 1, x-axis Score from 0 to 100]

Results
[Figure: DL failures due to adverse index node vs. time (0 to 100); series: Winnowing scenario; TVC scenario, = 25; TVC scenario, = 30; TVC scenario, = 40]
• Consistent DL failures due to the adverse IN in WINNOWING.
• DL failures in TVC decrease and eventually cease once the zero-validity score threshold is reached.

Results
[Figure: benign index node score vs. time (0 to 20); series: TVC scenario and Winnowing scenario for k = 45, k = 60 and k = 75]
• The liar farm remains effective in the WINNOWING scheme.
• TVC allows for quick recovery of the IN score after the liar farm exhausts its votes.

Results
• Trading bandwidth cost for computational cost results in a fruitful impact on server resources.
• Service queue size is exponentially smaller in TVC.

Conclusion
1. TVC guarantees the integrity of users' votes and IN score reports.
  • Mitigates long-term effects of the IN Insertion Attack.
2. TVC guarantees isolation and effective lock-out against adverse voters.
  • Greatly decreases the effects of the Reverse Voting Attack.
3. The TVC client puzzle approach guarantees all votes are received from live IPs.
  • Dramatically reduces the effectiveness of a DoS Attack.
  • Requires exponentially more colluding users to be as effective as the DoS against the WINNOWING scheme.

Future Work
1. Performing more advanced analysis to make adaptive and more efficient decisions in dealing with voter feedback.
2. Enabling the joint detection of colluding voters based on group behavioral patterns:
  • Isolate a potentially large liar farm before a benign IN's reputation is corrupted.
3. Dealing with scalability issues with a large number of peers in a single-server system:
  • How to map index nodes to multiple TVCs in larger systems?

Thank You
Questions & Comments
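The Voting Process of the slides (one vote per voter per index record, puzzle hardness set from the vote type and the voter's history, timeout check, solution verification, a vote-type mismatch recorded as a bad-behavior incident, AIAD score update), as an added Python example that is not the authors' code. The SHA-256 partial-preimage puzzle, the hardness constants, the AIAD step sizes and the timeout are assumptions, since the slides fix none of them.

```python
import hashlib, os, time

DEFAULT_BITS = 12           # default puzzle hardness in leading zero bits (assumed value)
NEG_EXTRA_BITS = 4          # extra hardness for a negative vote (assumed value)
PUZZLE_TIMEOUT = 30.0       # seconds allowed for a puzzle solution (assumed value)
POS_STEP, NEG_STEP = 1, 5   # AIAD: additive increase / additive decrease (assumed values)

class TVC:
    def __init__(self, now=time.time):
        self.now = now        # clock, injectable so timeouts can be tested
        self.bad = {}         # voter -> recorded "bad behavior" incidents
        self.voted = set()    # (voter, index_node) pairs already counted
        self.scores = {}      # index_node -> score, every IN starts at 100
        self.pending = {}     # voter -> (nonce, bits, vote_type, index_node, issued_at)
    def hardness(self, voter, vote_type):
        # negative votes cost more; each past incident adds one bit, doubling the work
        return DEFAULT_BITS + (NEG_EXTRA_BITS if vote_type == "neg" else 0) + self.bad.get(voter, 0)
    def request_vote(self, voter, index_node, vote_type):
        if (voter, index_node) in self.voted:
            return None       # one vote per voter per index record
        nonce, bits = os.urandom(8).hex(), self.hardness(voter, vote_type)
        self.pending[voter] = (nonce, bits, vote_type, index_node, self.now())
        return nonce, bits
    @staticmethod
    def check(nonce, bits, solution):
        # assumed puzzle: SHA-256(nonce:solution) must start with `bits` zero bits
        digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
        return int.from_bytes(digest, "big") >> (256 - bits) == 0
    @staticmethod
    def solve(nonce, bits):
        solution = 0          # brute force on the voter's side
        while not TVC.check(nonce, bits, solution):
            solution += 1
        return solution
    def submit_vote(self, voter, solution, vote_type):
        rec = self.pending.pop(voter, None)
        if rec is None:
            return "ignored"  # no outstanding puzzle for this voter
        nonce, bits, requested, index_node, issued_at = rec
        if self.now() - issued_at > PUZZLE_TIMEOUT:
            return "timeout"
        if not self.check(nonce, bits, solution):
            return "bad_solution"
        if vote_type != requested:   # vote type changed after the puzzle was set
            self.bad[voter] = self.bad.get(voter, 0) + 1
            return "mismatch"
        self.voted.add((voter, index_node))
        score = self.scores.get(index_node, 100)
        self.scores[index_node] = min(100, score + POS_STEP) if vote_type == "pos" else max(0, score - NEG_STEP)
        return "counted"
```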